libxml2: Fix for CVE-2023-45322

Backport patch for gitlab issue mentioned in NVD CVE report. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/583 Backport also one of 14 patches for older issue with similar errors to have clean cherry-pick without patch fuzz. * https://gitlab.gnome.org/GNOME/libxml2/-/issues/344 The CVE is disputed because the maintainer does not think that errors after memory allocation failures are not critical enough to warrant a CVE ID. This patch will formally fix reported error case, trying to backport another 13 patches and resolve conflicts would be probably overkill due to disputed state. This CVE was ignored on master branch (as diputed). (From OE-Core rev: 03b766e42beb42a2085285308acbcf941f346b06) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-01-12 08:34:06 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-01-21 08:33:19 -1000
commit: 2f7e1a230e17860dfc8fb735d4778510600a42db (patch)
tree: c75f12ee4494f38d95458123a5a7f80141043fd8
parent: 0948746aac0197b97fd4b6063a30b1bcda2c6436 (diff)
download: poky-2f7e1a230e17860dfc8fb735d4778510600a42db.tar.gz
3 files changed, 132 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 0000000000..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+Found with libFuzzer, see #344.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+            }
+            if (doc->intSubset == NULL) {
+                q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) return(NULL);
+               if (q == NULL) goto error;
+                q->doc = doc;
+                q->parent = parent;
+                doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        } else
+ #endif /* LIBXML_TREE_ENABLED */
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) return(NULL);
+       if (q == NULL) goto error;
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        node = node->next;
+     }
+     return(ret);
+error:
+    xmlFreeNodeList(ret);
+    return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 0000000000..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+Fixes #583.
+CVE: CVE-2023-45322
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tree.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
+++ b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+     xmlNodePtr ret = NULL;
+     xmlNodePtr p = NULL,q;
+    xmlDtdPtr newSubset = NULL;
+ 
+     while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+        if (node->type == XML_DTD_NODE ) {
+-           if (doc == NULL) {
+#ifdef LIBXML_TREE_ENABLED
+           if ((doc == NULL) || (doc->intSubset != NULL)) {
+                node = node->next;
+                continue;
+            }
+-           if (doc->intSubset == NULL) {
+-               q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-               if (q == NULL) goto error;
+-               q->doc = doc;
+-               q->parent = parent;
+-               doc->intSubset = (xmlDtdPtr) q;
+-               xmlAddChild(parent, q);
+-           } else {
+-               q = (xmlNodePtr) doc->intSubset;
+-               xmlAddChild(parent, q);
+-           }
+-       } else
+            q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+            if (q == NULL) goto error;
+            q->doc = doc;
+            q->parent = parent;
+            newSubset = (xmlDtdPtr) q;
+#else
+            node = node->next;
+            continue;
+ #endif /* LIBXML_TREE_ENABLED */
+       } else {
+            q = xmlStaticCopyNode(node, doc, parent, 1);
+-       if (q == NULL) goto error;
+           if (q == NULL) goto error;
+        }
+        if (ret == NULL) {
+            q->prev = NULL;
+            ret = p = q;
+@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+        }
+        node = node->next;
+     }
+    if (newSubset != NULL)
+        doc->intSubset = newSubset;
+     return(ret);
+ error:
+     xmlFreeNodeList(ret);
+-- 
+GitLab
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index aa17cd8cca..90d30f1ea7 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
           file://CVE-2023-39615-0001.patch \
           file://CVE-2023-39615-0002.patch \
           file://CVE-2021-3516.patch \
+           file://CVE-2023-45322-1.patch \
+           file://CVE-2023-45322-2.patch \
           "
 SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-01-12 08:34:06 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-01-21 08:33:19 -1000
commit	2f7e1a230e17860dfc8fb735d4778510600a42db (patch)
tree	c75f12ee4494f38d95458123a5a7f80141043fd8
parent	0948746aac0197b97fd4b6063a30b1bcda2c6436 (diff)
download	poky-2f7e1a230e17860dfc8fb735d4778510600a42db.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch new file mode 100644 index 0000000000..182bb29abd --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
		1	From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 2 Nov 2022 15:44:42 +0100
		4	Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
		5
		6	Found with libFuzzer, see #344.
		7
		8	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
		9
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	tree.c \| 7 +++++--
		14	1 file changed, 5 insertions(+), 2 deletions(-)
		15
		16	diff --git a/tree.c b/tree.c
		17	index 507869efe..647288ce3 100644
		18	--- a/tree.c
		19	+++ b/tree.c
		20	@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		21	}
		22	if (doc->intSubset == NULL) {
		23	q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		24	- if (q == NULL) return(NULL);
		25	+ if (q == NULL) goto error;
		26	q->doc = doc;
		27	q->parent = parent;
		28	doc->intSubset = (xmlDtdPtr) q;
		29	@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		30	} else
		31	#endif /* LIBXML_TREE_ENABLED */
		32	q = xmlStaticCopyNode(node, doc, parent, 1);
		33	- if (q == NULL) return(NULL);
		34	+ if (q == NULL) goto error;
		35	if (ret == NULL) {
		36	q->prev = NULL;
		37	ret = p = q;
		38	@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		39	node = node->next;
		40	}
		41	return(ret);
		42	+error:
		43	+ xmlFreeNodeList(ret);
		44	+ return(NULL);
		45	}
		46
		47	/**
		48	--
		49	GitLab
		50


diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch new file mode 100644 index 0000000000..c7e9681e6a --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
		1	From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Wed, 23 Aug 2023 20:24:24 +0200
		4	Subject: [PATCH] tree: Fix copying of DTDs
		5
		6	- Don't create multiple DTD nodes.
		7	- Fix UAF if malloc fails.
		8	- Skip DTD nodes if tree module is disabled.
		9
		10	Fixes #583.
		11
		12	CVE: CVE-2023-45322
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
		14
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	tree.c \| 31 ++++++++++++++++---------------
		19	1 file changed, 16 insertions(+), 15 deletions(-)
		20
		21	diff --git a/tree.c b/tree.c
		22	index 6c8a875b9..02c1b5791 100644
		23	--- a/tree.c
		24	+++ b/tree.c
		25	@@ -4471,29 +4471,28 @@ xmlNodePtr
		26	xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		27	xmlNodePtr ret = NULL;
		28	xmlNodePtr p = NULL,q;
		29	+ xmlDtdPtr newSubset = NULL;
		30
		31	while (node != NULL) {
		32	-#ifdef LIBXML_TREE_ENABLED
		33	if (node->type == XML_DTD_NODE ) {
		34	- if (doc == NULL) {
		35	+#ifdef LIBXML_TREE_ENABLED
		36	+ if ((doc == NULL) \|\| (doc->intSubset != NULL)) {
		37	node = node->next;
		38	continue;
		39	}
		40	- if (doc->intSubset == NULL) {
		41	- q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		42	- if (q == NULL) goto error;
		43	- q->doc = doc;
		44	- q->parent = parent;
		45	- doc->intSubset = (xmlDtdPtr) q;
		46	- xmlAddChild(parent, q);
		47	- } else {
		48	- q = (xmlNodePtr) doc->intSubset;
		49	- xmlAddChild(parent, q);
		50	- }
		51	- } else
		52	+ q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
		53	+ if (q == NULL) goto error;
		54	+ q->doc = doc;
		55	+ q->parent = parent;
		56	+ newSubset = (xmlDtdPtr) q;
		57	+#else
		58	+ node = node->next;
		59	+ continue;
		60	#endif /* LIBXML_TREE_ENABLED */
		61	+ } else {
		62	q = xmlStaticCopyNode(node, doc, parent, 1);
		63	- if (q == NULL) goto error;
		64	+ if (q == NULL) goto error;
		65	+ }
		66	if (ret == NULL) {
		67	q->prev = NULL;
		68	ret = p = q;
		69	@@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
		70	}
		71	node = node->next;
		72	}
		73	+ if (newSubset != NULL)
		74	+ doc->intSubset = newSubset;
		75	return(ret);
		76	error:
		77	xmlFreeNodeList(ret);
		78	--
		79	GitLab
		80


diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb index aa17cd8cca..90d30f1ea7 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
42	file://CVE-2023-39615-0001.patch \	42	file://CVE-2023-39615-0001.patch \
43	file://CVE-2023-39615-0002.patch \	43	file://CVE-2023-39615-0002.patch \
44	file://CVE-2021-3516.patch \	44	file://CVE-2021-3516.patch \
		45	file://CVE-2023-45322-1.patch \
		46	file://CVE-2023-45322-2.patch \
45	"	47	"
46		48
47	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"	49	SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"